Cisco Support Community

SSH Publickey accepted but still prompted for username/password?

Problem Description (User: Michael):

Trying to ssh from our QNAP to our switches and copy the running-config.

These tests are on an SG-300. When ready we'll be doing the same thing on all of our 2960's. So maybe the SG300 is the problem. Who knows, anyways..


debug1: Next authentication method: publickey

debug1: Trying private key: /share/MD0_DATA/XXX/.ssh/identity

debug1: Offering public key: /share/MD0_DATA/XXX/.ssh/id_rsa

debug1: Server accepts key: pkalg ssh-rsa blen 277

debug1: read PEM private key done: type RSA

debug1: Authentication succeeded (publickey).


Why is this?

Also, I notice after disabling Pubkey auth on the switch I am actually prompted for a login name twice?

Login: user1

Username: user1

Password: xxx

With pubkey enabled and my key passed and authorized, I am only seeing 1 login. Perhaps the key is getting me by the first login, but not the second?

Answer (Tom Watts):

Hi Michael, I believe there is 1 step you have missed.

You need to remove the local log in for the SSH.

I have generated a PPK file using PuTTYgen, then loaded the public RSA to the switch, then defined my user name as tom. Once I removed the local log in and changed it to "none", I was able to enter my SSH user and then bypass any prompts. However, I did have to type enable to get to exec mode.

login as: tom

Authenticating with public key "rsa-key-20130218"



Here is my config, please notice the bold section.

SG300-28P#show run



v1.2.7.76 / R750_NIK_1_2_584_002

CLI v1.0

file SSD indicator encrypted



ssd config

ssd file passphrase control unrestricted

no ssd file integrity control

ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0


voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

hostname SG300-28P

aaa authentication enable SSH none

aaa authentication login SSH none

line ssh

login authentication SSH

enable authentication SSH

password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted


ip ssh server

ip ssh pubkey-auth

crypto key pubkey-chain ssh

user-key tom rsa

key-string row AAAAB3NzaC1yc2EAAAABJQAAAIEAiyXSPjNqiE6d

key-string row afuUPRxWPKOwTWiDP3vLvEaHtuIOfeQdxJbBgjgb

key-string row vk/BIq/icKMjOUWBKytHBon3InbxGFjcuIftWkms

key-string row qffX7jALswFK4DZIbWhopDs+368oxd+r

key-string row 8pjIpR5UMB+0beM3UjAC+cO4CGlW7OVZr727C2Jh

key-string row YKbh/6s= rsa-key-20130218



snmp-server server

snmp-server community tom12345 rw view DefaultSuper

snmp-server group v1defaultGroup v3 auth notify Default read Default write Default

clock timezone " " -5

clock source sntp

clock dhcp timezone


interface vlan 1

ip address

no ip address dhcp


ip default-gateway

snmp-server set  rlAutomaticClockSetFromPCEnabled rlAutomaticClockSetFromPCEnabled true


Here is my public key I had used

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiyXSPjNqiE6dafuUPRxWPKOwTWiDP3vLvEaHtuIOfeQdxJbBgjgbvk/BIq/icKMjOUWBKytHBon3InbxGFjcuIftWkmsqffX7jALswFK4DZIbWhopDs+368oxd+r8pjIpR5UMB+0beM3UjAC+cO4CGlW7OVZr727C2JhYKbh/6s= rsa-key-20130218

You can see this post here

Credit to Tom Watts for this useful information
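Added example (not part of the original thread and not Cisco's code): before relying on key-only login, it is worth confirming that the `key-string row` lines on the switch reassemble to the same key as the public key you generated, and checking how strong that key is. The key data is copied from the answer above; the function names and the 2048-bit minimum (`MIN_RSA_BITS`) are assumptions.

```python
import base64
import hashlib

# Copied from the answer above: the switch's key-string rows and the posted public key.
CONFIG_ROWS = """\
key-string row AAAAB3NzaC1yc2EAAAABJQAAAIEAiyXSPjNqiE6d
key-string row afuUPRxWPKOwTWiDP3vLvEaHtuIOfeQdxJbBgjgb
key-string row vk/BIq/icKMjOUWBKytHBon3InbxGFjcuIftWkms
key-string row qffX7jALswFK4DZIbWhopDs+368oxd+r
key-string row 8pjIpR5UMB+0beM3UjAC+cO4CGlW7OVZr727C2Jh
key-string row YKbh/6s= rsa-key-20130218
"""
PUBKEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiyXSPjNqiE6dafuUPRxWPKOwTWiDP3vLvEaHtuIOfeQdxJbBgjgbvk/BIq/icKMjOUWBKytHBon3InbxGFjcuIftWkmsqffX7jALswFK4DZIbWhopDs+368oxd+r8pjIpR5UMB+0beM3UjAC+cO4CGlW7OVZr727C2JhYKbh/6s= rsa-key-20130218"
MIN_RSA_BITS = 2048  # assumption: local policy minimum, not a value from the page

def blob_from_rows(config_text):
    """Join the base64 fragments of the 'key-string row' lines and decode them."""
    parts = [f[2] for f in map(str.split, config_text.splitlines())
             if f[:2] == ["key-string", "row"] and len(f) > 2]
    return base64.b64decode("".join(parts), validate=True)

def blob_from_pubkey(line):
    """Decode the base64 field of a one-line OpenSSH public key."""
    return base64.b64decode(line.split()[1], validate=True)

def parse_rsa(blob):
    """Parse the RFC 4253 ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")  # 4-byte length prefix
        off += 4
        if off + size > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + size])
        off += size
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def audit(config_text, pubkey_line):
    """Compare the key on the switch with the local key and report its strength."""
    on_switch = blob_from_rows(config_text)
    e, n = parse_rsa(on_switch)
    fp = base64.b64encode(hashlib.sha256(on_switch).digest()).decode().rstrip("=")
    return {"match": on_switch == blob_from_pubkey(pubkey_line), "exponent": e,
            "bits": n.bit_length(), "fingerprint": "SHA256:" + fp,
            "meets_minimum": n.bit_length() >= MIN_RSA_BITS}

if __name__ == "__main__":
    print(audit(CONFIG_ROWS, PUBKEY_LINE))
```

For the key in this thread the rows and the posted public key match, and the report shows a 1024-bit modulus with exponent 37, so `meets_minimum` is false under the assumed 2048-bit policy.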

Version history: revision 1 of 1, last update 02-19-2013 05:27 AM